mirror of
https://github.com/mozilla/cipherscan.git
synced 2024-11-04 23:13:41 +01:00
Update README.md
This commit is contained in:
parent
051f927fcd
commit
ac15fc738d
199
README.md
199
README.md
@ -1,51 +1,55 @@
|
||||
CipherScan
|
||||
==========
|
||||
A very simple way to find out which SSL/TLS ciphersuites are supported by a target.
|
||||
|
||||
Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations. Cipherscan uses the `openssl s_client` command line to run the tests.
|
||||
```bash
|
||||
$ ./cipherscan jve.linuxwall.info
|
||||
........................
|
||||
Target: jve.linuxwall.info:443
|
||||
|
||||
On Linux x86_64 run: ./cipherscan www.google.com:443
|
||||
On any other *nix or *tux run: ./cipherscan -o /path/to/openssl www.google.com:443
|
||||
and watch.
|
||||
prio ciphersuite protocols pfs_keysize
|
||||
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
|
||||
2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
|
||||
3 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,2048bits
|
||||
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,2048bits
|
||||
5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
|
||||
6 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
||||
7 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
|
||||
8 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
||||
9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,2048bits
|
||||
10 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
|
||||
11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,2048bits
|
||||
12 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
|
||||
13 AES128-GCM-SHA256 TLSv1.2
|
||||
14 AES256-GCM-SHA384 TLSv1.2
|
||||
15 AES128-SHA256 TLSv1.2
|
||||
16 AES256-SHA256 TLSv1.2
|
||||
17 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
|
||||
18 AES256-SHA TLSv1,TLSv1.1,TLSv1.2
|
||||
19 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
|
||||
20 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2
|
||||
21 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,2048bits
|
||||
22 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2
|
||||
23 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
|
||||
|
||||
The newer your version of openssl, the better results you'll get. Versions
|
||||
of OpenSSL below 1.0.1 don't support TLS1.2 ciphers, elliptic curves, etc... Build your own or test what your system's OpenSSL supports.
|
||||
|
||||
Cipherscan should work fine on Linux, Mac OS X, Solaris, Illumos, SmartOS, OpenIndiana if you specify a an openssl binary with -o.
|
||||
|
||||
Build OpenSSL with ChaCha20-Poly1305 support (Optional)
|
||||
-------------------------------------------------------
|
||||
|
||||
The OpenSSL binary in this repository is built for 64bit Linux. If you wish to build a version with the same features for your own platform, [the snapshot from the OpenSSL gitweb view](http://git.openssl.org/gitweb/?p=openssl.git;a=tree;h=161b23361778c155f9c174694b1db2506a2e0b52;hb=9a8646510b) and build it like this:
|
||||
|
||||
```
|
||||
./config no-shared
|
||||
make
|
||||
Certificate: trusted, 2048 bit, sha256WithRSAEncryption signature
|
||||
TLS ticket lifetime hint: 300
|
||||
OCSP stapling: not supported
|
||||
Server side cipher ordering
|
||||
```
|
||||
|
||||
And get the binary from `app/openssl`. (`./config` will ask you to run `make depend` which will fail - for our purposes this step is not required)
|
||||
Cipherscan tests the ordering of the SSL/TLS ciphers on a given target, for all major versions of SSL and TLS. It also extracts some certificates informations, TLS options, OCSP stapling and more. Cipherscan is a wrapper above the `openssl s_client` command line.
|
||||
|
||||
Options
|
||||
-------
|
||||
Cipherscan is meant to run on all flavors of unix. It ships with its own built of OpenSSL for Linux/64 and Darwin/64. On other platform, it will use the openssl version provided by the operating system (which may have limited ciphers support), or your own version provided in the `-o` command line flag.
|
||||
|
||||
```
|
||||
-a | --allciphers Test all known ciphers individually at the end.
|
||||
-b | --benchmark Activate benchmark mode.
|
||||
-d | --delay Pause for n seconds between connections
|
||||
-D | --debug Output ALL the information.
|
||||
-h | --help Shows this help text.
|
||||
-j | --json Output results in JSON format.
|
||||
-o | --openssl path/to/your/openssl binary you want to use.
|
||||
-v | --verbose Increase verbosity.
|
||||
```
|
||||
Examples
|
||||
--------
|
||||
|
||||
Example
|
||||
-------
|
||||
|
||||
Testing plain SSL/TLS:
|
||||
```
|
||||
linux $ ./cipherscan www.google.com:443
|
||||
Basic test:
|
||||
```bash
|
||||
$ ./cipherscan google.com
|
||||
...................
|
||||
Target: google.com:443
|
||||
|
||||
prio ciphersuite protocols pfs_keysize
|
||||
1 ECDHE-RSA-CHACHA20-POLY1305 TLSv1.2 ECDH,P-256,256bits
|
||||
2 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
|
||||
@ -62,11 +66,14 @@ prio ciphersuite protocols pfs_keysize
|
||||
13 AES256-GCM-SHA384 TLSv1.2
|
||||
14 AES256-SHA256 TLSv1.2
|
||||
15 AES256-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
||||
16 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
||||
17 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
||||
18 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
|
||||
16 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
|
||||
17 ECDHE-RSA-DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
|
||||
18 DES-CBC3-SHA SSLv3,TLSv1,TLSv1.1,TLSv1.2
|
||||
|
||||
Certificate: trusted, 2048 bit, sha1WithRSAEncryption signature
|
||||
TLS ticket lifetime hint: 100800
|
||||
OCSP stapling: not supported
|
||||
Server side cipher ordering
|
||||
```
|
||||
|
||||
Testing STARTTLS:
|
||||
@ -108,111 +115,6 @@ $ /cipherscan -j -starttls xmpp jabber.ccc.de:5222
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "DH,1024bits"
|
||||
},
|
||||
{
|
||||
"cipher": "AES256-SHA",
|
||||
"protocols": [
|
||||
"SSLv3",
|
||||
"TLSv1"
|
||||
],
|
||||
"pubkey": [
|
||||
"2048"
|
||||
],
|
||||
"sigalg": [
|
||||
"sha1WithRSAEncryption"
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "None"
|
||||
},
|
||||
{
|
||||
"cipher": "EDH-RSA-DES-CBC3-SHA",
|
||||
"protocols": [
|
||||
"SSLv3",
|
||||
"TLSv1"
|
||||
],
|
||||
"pubkey": [
|
||||
"2048"
|
||||
],
|
||||
"sigalg": [
|
||||
"sha1WithRSAEncryption"
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "DH,1024bits"
|
||||
},
|
||||
{
|
||||
"cipher": "DES-CBC3-SHA",
|
||||
"protocols": [
|
||||
"SSLv3",
|
||||
"TLSv1"
|
||||
],
|
||||
"pubkey": [
|
||||
"2048"
|
||||
],
|
||||
"sigalg": [
|
||||
"sha1WithRSAEncryption"
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "None"
|
||||
},
|
||||
{
|
||||
"cipher": "DHE-RSA-AES128-SHA",
|
||||
"protocols": [
|
||||
"SSLv3",
|
||||
"TLSv1"
|
||||
],
|
||||
"pubkey": [
|
||||
"2048"
|
||||
],
|
||||
"sigalg": [
|
||||
"sha1WithRSAEncryption"
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "DH,1024bits"
|
||||
},
|
||||
{
|
||||
"cipher": "AES128-SHA",
|
||||
"protocols": [
|
||||
"SSLv3",
|
||||
"TLSv1"
|
||||
],
|
||||
"pubkey": [
|
||||
"2048"
|
||||
],
|
||||
"sigalg": [
|
||||
"sha1WithRSAEncryption"
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "None"
|
||||
},
|
||||
{
|
||||
"cipher": "RC4-SHA",
|
||||
"protocols": [
|
||||
"SSLv3",
|
||||
"TLSv1"
|
||||
],
|
||||
"pubkey": [
|
||||
"2048"
|
||||
],
|
||||
"sigalg": [
|
||||
"sha1WithRSAEncryption"
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "None"
|
||||
},
|
||||
{
|
||||
"cipher": "RC4-MD5",
|
||||
"protocols": [
|
||||
"SSLv3",
|
||||
"TLSv1"
|
||||
],
|
||||
"pubkey": [
|
||||
"2048"
|
||||
],
|
||||
"sigalg": [
|
||||
"sha1WithRSAEncryption"
|
||||
],
|
||||
"trusted": "False",
|
||||
"pfs": "None"
|
||||
}
|
||||
]
|
||||
}
|
||||
@ -220,7 +122,7 @@ $ /cipherscan -j -starttls xmpp jabber.ccc.de:5222
|
||||
|
||||
Analyzing configurations
|
||||
------------------------
|
||||
The motivation behind cipherscan is to help admins configure good TLS on their
|
||||
The motivation behind cipherscan is to help operators configure good TLS on their
|
||||
endpoints. To help this further, the script `analyze.py` compares the results of
|
||||
a cipherscan with the TLS guidelines from https://wiki.mozilla.org/Security/Server_Side_TLS
|
||||
and output a level and recommendations.
|
||||
@ -260,6 +162,11 @@ compatibility level they want to support. Again, refer to
|
||||
https://wiki.mozilla.org/Security/Server_Side_TLS for more information.
|
||||
|
||||
Note on Nagios mode:
|
||||
`analyse.py` can be ran as a nagios check with `--nagios`. The exit code will
|
||||
then represent the state of the configuration:
|
||||
* 2 (critical) for bad tls
|
||||
* 1 (warning) if it doesn't match the desired level
|
||||
* 0 (ok) if it matches.
|
||||
cipherscan can take more than 10 seconds to complete. To alleviate any timeout
|
||||
issues, you may want to run it outside of nagios, passing data through some
|
||||
temporary file.
|
||||
|
Loading…
Reference in New Issue
Block a user